Security
Banno offers several features that authenticate your end users and keep their information secure.
Self-enrollment
End users can enroll themselves without needing to go through your institution for that process. First-time end users can select First time user? Enroll now. on the sign-in screen, which displays an enrollment wizard where they enter their information, complete 2FA, accept the user agreement, and create credentials and a PIN. A tutorial then appears to walk the new end user through the app.
Two-factor authentication
Banno uses two-factor authentication (2FA) to keep your end users’ information safe by adding an additional layer of security. 2FA is a method of confirming a user’s identity by requiring two of three pieces of evidence:
- Something you know (like a password)
- Something you have (like a phone or security token)
- Something you are (biometric data)
When an end user signs in to their online bank account with their credentials (something they know), Banno sends a one-time code to verify their identity, for example as an SMS message to the phone number on file. Because that code is delivered to a separate device outside the Banno application (something they have), the sign-in combines two factors.
To mitigate the threat of guessed or stolen credentials, Banno requires 2FA for two scenarios:
- It’s the end user’s first time interfacing with your app.
- A new device is being used to access bank accounts.
To get started on the Banno Platform, new end users:
- Establish their first authentication factor, something they know (their credentials) or, where the device supports it, something they are (like a fingerprint), in one of these ways:
  - Create an account using their personally identifiable information (self-enrollment, described above).
  - Carry over the username and password associated with your institution's current online banking solution.
  - Receive a username and temporary password issued by your institution.
- Designate their second authentication factor, something they have (like a phone that receives the 2FA code).
Banno tracks the devices and browsers that sign in to user accounts by using device IDs and browser fingerprinting. Whenever an end user attempts to sign in from a device that the Banno service layer doesn't recognize, they are asked to prove their identity with 2FA, in case their credentials have been compromised.
End users can reset 2FA settings within the Security option on the Settings menu. Your institution can reset 2FA for end users in Banno People under Permissions. This reset is a high-risk action, so institution users must enter their password to reset 2FA for end users.
Passkeys
When end users log in to Banno Apps with a username and password and then complete a 2FA challenge, both steps carry known weaknesses (a password can be guessed, reused or phished, and a one-time code can be phished as well) that persist despite industry efforts to minimize them.
End users who log in to Banno Online with a passkey, by clicking Sign in with a passkey, get a safer and easier login that needs neither a password nor a separate 2FA step. Passkeys, a standard created by the FIDO Alliance and the World Wide Web Consortium, are a public/private key pair. The public key is registered with the app or website, and the private key is stored on the end user's device in their chosen passkey manager; the site can verify a signature made with the private key but can never produce one itself.
Passkeys can be synchronized across end user devices in the same ecosystem. For example, passkeys created on iOS or in Safari on macOS are stored in iCloud Keychain. Passkeys created in Chrome on Android are stored in the Google Password Manager. Development of passkey support by both Apple and Google is ongoing.
The app or website the end user logs in to, including the Banno Digital Platform, never receives or stores the private key; it holds only the public key. The private key can still be used from another device. For example, if an end user keeps their passkey in their Google account on their iPhone, they can start a Banno Online sign-in from an Android tablet and use the iPhone to approve it. Access to the private keys in an ecosystem's passkey manager is gated by the same device unlock the end user already uses (PIN, fingerprint, face, etc.). The Banno Digital Platform has no access to an end user's biometric information; the biometric check happens entirely on the device.
Offline mode
Institutions can enable offline mode, as well as edit settings and save an offline mode message within Banno People under the Offline mode option on the Settings menu.
During offline mode, end users have access to certain banking features and data. An offline mode banner appears in the app during offline mode and can’t be dismissed. First-time end users who have never signed in before aren’t able to sign in to Banno during offline mode.
Offline mode is disabled by default. When enabled, a Notification message field appears. There is default text available for the offline mode message, but your institution can customize the text. Institution users must be in the Security group and have Manage all of People permissions to edit offline mode settings.
This feature is not supported for credit unions and is not available to Cash Management users.
Device management
End users with a lost or stolen device can sign in from a different device and deauthorize the missing one. For mobile clients, this wipes all user data from the deauthorized device the next time it contacts a Banno server. For web clients, the next sign-in from that browser requires a full 2FA login even if the user had selected Remember this computer.
Devices that have been used to access Banno Online appear in the Devices section of the Security screen. A device can be deauthorized for Banno Online use in two ways: the end user can do it themselves, or someone at your institution can do it for them from Banno People. If an end user loses a device, or someone steals their credentials, they can deauthorize the compromised device from a separate, authorized device within the Security option on the Settings menu.
Every time a user signs in to Banno Mobile or Banno Online, information about the device they're using is passed along. Users can see the computers, phones, and other devices that are currently using or have recently accessed Banno. This can be used to make sure that no one else has signed in to the account.
Managing devices
- Settings
- Security
- Recently used devices
Users can review the list of devices that have been used to access their accounts by signing in and navigating to Recently used devices.
Devices that are phones and tablets are listed by the brand name, version of the operating system, and the version of the app installed on that device.
Browsers that have been used to access a user’s accounts are shown by the brand name and version of the browser along with the operating system name and version.
Removing devices
If a user no longer has access to a device that was previously used, they can remove that device’s access. This will invalidate the token on that device. On mobile phones and tablets this will force a signout and a deletion of locally stored data. In browsers, the existing session will be terminated.
If a Banno Online user chose Remember this computer (opting out of the 2FA prompt on later sign-ins from that browser), removing that device means they will be prompted to complete the 2FA challenge the next time they sign in from that browser.
Due to the ever-increasing threat of account takeover, device removal was made a high-risk action in June 2024, primarily to stop fraudsters who have obtained a user's credentials from removing the legitimate user's devices. Banno Online began enforcing this in early June, and Banno Mobile started enforcing it in version 3.14.
High-risk actions
A user can do a lot with Banno Apps and Banno Enterprise, but not all actions are created equal. Some actions are more risky than others, such as transfers to an external institution. For instances that could compromise the security of your users’ accounts, Banno apps require an extra level of authentication. We call these actions “high-risk actions.” Want to know what actions are included and how it works? Read on.
When a user starts a high-risk action in Banno Apps or Enterprise, they are prompted to re-enter their password and must enter it correctly before continuing. After a high-risk action is completed, an email is sent to the email address on file for the account.
Within the *Security* section of *Banno People* (only available to users with the *Manage security settings* permission), there are three choices for handling high-risk actions on a new device:
- Allow all high-risk actions on new devices
  - With this option selected, no additional protection applies to performing a high-risk action on a new device. As long as the user can pass the high-risk challenge (re-entering their password), they can perform all actions immediately on a new device.
- Waitlist new devices from high-risk actions for 7 days
  - With this option selected, a new device is prevented from performing high-risk actions for 7 days, provided the end user already has another device that has existed for over 30 days. The block ends when the 7 days elapse or when the end user contacts your FI and asks for the device to be manually unblocked. This does not prevent net-new users (who have no established device) from performing high-risk actions.
- Block high-risk actions on all devices
  - With this option selected, all high-risk actions are blocked indefinitely for new devices, which can be unblocked only by contacting your FI. This option includes a date selector, with the current date selected by default, that sets the date after which newly enrolled devices are blocked. This is best used when an intrusion attempt occurred several days earlier, allowing your FI to block every device enrolled after that date.
Blocked devices can be unblocked via the end user's profile in *Banno People*. When an end user has a blocked device, an alert at the top of their profile notifies you that the user has devices blocked from completing high-risk actions.
You can reach their devices by clicking the button on that alert or via the Security tab. Each blocked device carries a label noting that it is blocked, alongside a link to allow the device.
Banno apps maintain a balance to ensure high-risk actions include significant actions, but aren't so prevalent that they frustrate the end user. It can be hard to keep track of which actions are high-risk, so we've compiled a list below.
All users
- Changing password
- Changing username
Banno Mobile/Online only
- Edit username
- Edit user address
- Edit user email
- Edit user phone number
- Reset 2FA
- Remove device (enforced as a high-risk action on Banno Online™ as of June 2024 and on Banno Mobile™ beginning with version 3.14)
- Adding an external or aggregated account
- Adding or updating a bill payee
- Adding an external transfer account
- Accessing the iPay SSO
- External transfer over a given amount, if configured
- Enroll in Symantec
- Initiate Wires and ACH Batches
- Zelle
  - Payments to a first-time contact
  - Accepting a request for payment
  - Creating a contact
  - Adding a recipient
Enterprise only
- Changing 2FA settings, including reset for a user
- Managing security settings
High-risk action FAQs
- Why is a password required instead of receiving a 2FA code?
- 2FA is used only at login. Re-entering the password adds a separate check that the person using the app is the authorized user and stops an unauthorized user from hijacking an account.
Once a session is open, a password prompt stops, for example, someone who has taken the user's phone from creating a payee. If the challenge were a 2FA code instead, the code would arrive on the very phone the unauthorized user is holding, and they could create the payee anyway.
- How long are users considered high-risk authenticated?
- Once a user completes a high-risk authentication, including during login, they will not have to re-authenticate for high-risk actions for the next 10 minutes.
Multiple signed-in users
End users can sign in to multiple user profiles and quickly switch between them by using a PIN instead of entering a username and password. They must add a profile to create secondary accounts so that they can switch between profiles easily. After adding a profile, multiple signed-in users appear at the top of the main menu, or selecting Switch lets them switch between the profiles and view the user list. End users receive push notifications for all signed-in profiles.
Rate limiting
Rate limiting is applied when an IP address looks suspicious. IPs with both a high number of failed sign-in attempts and a high proportion of failures are blocked until they stop attempting to sign in for a period of time. The exact criteria are not published and are adjusted over time. Institutions can monitor their current overall rate limiting on the dashboard of Banno Reports.
Surprisingly, rate limiting is commonly triggered by employees at financial institutions that have recently converted to Banno entering invalid credentials. To prevent this, Banno implementation coordinators request your institution's internal network IPs so that they can be whitelisted.
FAQ
- When an end user chooses how to receive a 2FA code, one of their options is to select “Text message/SMS (2FA program)”. Can an institution remove “2FA program” or customize the text?
- The text cannot be removed or edited, because cell phone carriers require listing a program name.